Skip to content
This repository was archived by the owner on Dec 17, 2025. It is now read-only.

TC-2220 FindTopLevelPackagesRelatedToVulnerability: fix response builder #206

Merged
mrizzi merged 1 commit into from
Feb 4, 2025
Merged

TC-2220 FindTopLevelPackagesRelatedToVulnerability: fix response builder #206

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
54 changes: 54 additions & 0 deletions demo/graphql/queries-trustification.gql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -502,3 +502,57 @@ query TC_1928_FindVulnerabilityBySbomURI {
}
}
}

mutation TC_2220_OSV_GHSA_vulnerability{
ingestVulnerability (
vuln: {
vulnerabilityInput : {
type: "osv"
vulnerabilityID: "GHSA-2363-cqg2-863c"
}
}
){vulnerabilityNodeID}
}

mutation TC_2220_OSV_GHSA_certify_vuln {
ingestCertifyVuln(
pkg: {
packageInput: {
type: "maven"
namespace: "org.jdom"
name: "jdom"
version: "1.1"
}
}
vulnerability: {
vulnerabilityInput: {
type: "osv"
vulnerabilityID: "GHSA-2363-cqg2-863c"
}
}
certifyVuln: {
timeScanned: "2025-02-04T11:03:05.999999999Z"
dbUri: "test"
dbVersion: "0.0.0"
scannerUri: "test"
scannerVersion: "0.0.0"
origin: "test"
collector: "test"
documentRef: "test"
}
)
}

query TC_2220_find_product_by_cve {
findTopLevelPackagesRelatedToVulnerability(vulnerabilityID: "ghsa-2363-cqg2-863c") {
... on CertifyVuln {
...allCertifyVulnTree
}
... on Package {
...allPkgTree
}
... on IsDependency {
...allIsDependencyTree
}
}
}
13 changes: 11 additions & 2 deletions internal/testing/e2e-trustification/e2e
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -113,7 +113,7 @@ time go run ./cmd/guacone collect files ${GUAC_DIR}/internal/testing/testdata/ex

echo @@@@ Running TC_1609 queries and validating output

cat "$queries" | gql-cli http://localhost:8080/query -o TC_1609_FindDependentProduct | jq 'del(.. | .id?) | del(.. | .downloadLocation?) | del(.. | .origin?) | .findDependentProduct[].subject.namespaces[]?.names[]?.versions[]?.qualifiers? |= sort | .findDependentProduct' > "${GUAC_DIR}/gotTC_1609_FindDependentProduct.json"
cat "$queries" | gql-cli http://localhost:8080/query -o TC_1609_FindDependentProduct | jq 'del(.. | .id?) | del(.. | .downloadLocation?) | del(.. | .origin?) | .findDependentProduct | sort_by(.digest) | .[].subject.namespaces[]?.names[]?.versions[]?.qualifiers? |= sort | .' > "${GUAC_DIR}/gotTC_1609_FindDependentProduct.json"
diff -u "${SCRIPT_DIR}/expectTC_1609_FindDependentProduct.json" "${GUAC_DIR}/gotTC_1609_FindDependentProduct.json"

echo @@@@ Ingesting TC_1757_openssl-3.0.7-18.el9_2.spdx.json into server
Expand Down Expand Up @@ -166,11 +166,20 @@ echo @@@@ Ingesting alpine-cyclonedx.json into server for TC-1842
time go run ./cmd/guacone collect files ${GUAC_DIR}/internal/testing/testdata/exampledata/alpine-cyclonedx.json;

echo @@@@ Running TC-1842 queries and validating output
cat "$queries" | gql-cli http://localhost:8080/query -o TC_1842_HasMetadata | jq 'del(.. | .id?) | .HasMetadata ' > "${GUAC_DIR}/gotTC_1842_HasMetadata.json"
cat "$queries" | gql-cli http://localhost:8080/query -o TC_1842_HasMetadata | jq 'del(.. | .id?) | .HasMetadata[].subject.namespaces[]?.names[]?.versions[]?.qualifiers? |= sort | .HasMetadata ' > "${GUAC_DIR}/gotTC_1842_HasMetadata.json"
diff -u "${SCRIPT_DIR}/expectTC_1842_HasMetadata.json" "${GUAC_DIR}/gotTC_1842_HasMetadata.json"

echo @@@@ Running TC-1928 queries
cat "$queries" | gql-cli http://localhost:8080/query -o TC_1928_FindVulnerabilityBySbomURI | jq ' .findVulnerabilityBySbomURI ' > "${GUAC_DIR}/gotTC_1928_FindVulnerabilityBySbomURI.json"
diff -u "${SCRIPT_DIR}/expectTC_1928_FindVulnerabilityBySbomURI.json" "${GUAC_DIR}/gotTC_1928_FindVulnerabilityBySbomURI.json"

echo @@@@ Ingesting data for TC-2220
time go run ./cmd/guacone collect files ${GUAC_DIR}/internal/testing/testdata/exampledata/rhel-9.4-slimmed-down.json;
cat "$queries" | gql-cli http://localhost:8080/query -o TC_2220_OSV_GHSA_vulnerability
cat "$queries" | gql-cli http://localhost:8080/query -o TC_2220_OSV_GHSA_certify_vuln

echo @@@@ Running TC-2220 queries
cat "$queries" | gql-cli http://localhost:8080/query -o TC_2220_find_product_by_cve | jq 'del(.. | .id?) | del(.. | .origin?) | .findTopLevelPackagesRelatedToVulnerability[] ' > "${GUAC_DIR}/gotTC_2220_FindProductByCVE.json"
diff -u "${SCRIPT_DIR}/expectTC_2220_FindProductByCVE.json" "${GUAC_DIR}/gotTC_2220_FindProductByCVE.json"

# Note: graphql_playground is left running, CI will clean it up
32 changes: 16 additions & 16 deletions internal/testing/e2e-trustification/expectTC_1609_FindDependentProduct.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,17 +5,21 @@
"type": "maven",
"namespaces": [
{
"namespace": "com.example",
"namespace": "com.redhat.quarkus.platform",
"names": [
{
"name": "demo",
"name": "quarkus-bom",
"versions": [
{
"version": "0.0.1-SNAPSHOT",
"version": "2.13.8.Final-redhat-00004",
"qualifiers": [
{
"key": "repository_url",
"value": "https://maven.repository.redhat.com/ga/"
},
{
"key": "type",
"value": "jar"
"value": "pom"
}
],
"subpath": ""
Expand All @@ -26,9 +30,9 @@
}
]
},
"uri": "urn:uuid:4dd9ce9a-b3f2-47c9-b670-a7884f29fd21",
"uri": "https://access.redhat.com/security/data/sbom/beta/spdx/quarkus-bom-d6ecbbd9-31bf-46fd-afda-8082120f5260",
"algorithm": "sha256",
"digest": "d2d350e6a166d24530297215b415a041cef1942394528bc8b625dd123a401341",
"digest": "4087ad9b170efe11192ff2dd28ec11c3c07e0d859dba42685d2665aa4086bcf8",
"collector": "FileCollector"
},
{
Expand All @@ -37,21 +41,17 @@
"type": "maven",
"namespaces": [
{
"namespace": "com.redhat.quarkus.platform",
"namespace": "com.example",
"names": [
{
"name": "quarkus-bom",
"name": "demo",
"versions": [
{
"version": "2.13.8.Final-redhat-00004",
"version": "0.0.1-SNAPSHOT",
"qualifiers": [
{
"key": "repository_url",
"value": "https://maven.repository.redhat.com/ga/"
},
{
"key": "type",
"value": "pom"
"value": "jar"
}
],
"subpath": ""
Expand All @@ -62,9 +62,9 @@
}
]
},
"uri": "https://access.redhat.com/security/data/sbom/beta/spdx/quarkus-bom-d6ecbbd9-31bf-46fd-afda-8082120f5260",
"uri": "urn:uuid:4dd9ce9a-b3f2-47c9-b670-a7884f29fd21",
"algorithm": "sha256",
"digest": "4087ad9b170efe11192ff2dd28ec11c3c07e0d859dba42685d2665aa4086bcf8",
"digest": "d2d350e6a166d24530297215b415a041cef1942394528bc8b625dd123a401341",
"collector": "FileCollector"
}
]
205 changes: 205 additions & 0 deletions internal/testing/e2e-trustification/expectTC_2220_FindProductByCVE.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,205 @@
[
{
"package": {
"type": "maven",
"namespaces": [
{
"namespace": "org.jdom",
"names": [
{
"name": "jdom",
"versions": [
{
"version": "1.1",
"qualifiers": [],
"subpath": ""
}
]
}
]
}
]
},
"vulnerability": {
"type": "osv",
"vulnerabilityIDs": [
{
"vulnerabilityID": "ghsa-2363-cqg2-863c"
}
]
},
"metadata": {
"dbUri": "test",
"dbVersion": "0.0.0",
"scannerUri": "test",
"scannerVersion": "0.0.0",
"timeScanned": "2025-02-04T11:03:06Z",
"collector": "test"
}
},
{
"type": "maven",
"namespaces": [
{
"namespace": "org.jdom",
"names": [
{
"name": "jdom",
"versions": [
{
"version": "1.1",
"qualifiers": [],
"subpath": ""
}
]
}
]
}
]
},
{
"justification": "Derived from SPDX CONTAINED_BY relationship",
"versionRange": "1.1",
"package": {
"type": "rpm",
"namespaces": [
{
"namespace": "redhat",
"names": [
{
"name": "maven-plugin-bundle",
"versions": [
{
"version": "5.1.1-5.el9",
"qualifiers": [
{
"key": "arch",
"value": "src"
}
],
"subpath": ""
}
]
}
]
}
]
},
"dependencyPackage": {
"type": "maven",
"namespaces": [
{
"namespace": "org.jdom",
"names": [
{
"name": "jdom",
"versions": [
{
"version": "1.1",
"qualifiers": [],
"subpath": ""
}
]
}
]
}
]
},
"collector": "FileCollector"
},
{
"type": "rpm",
"namespaces": [
{
"namespace": "redhat",
"names": [
{
"name": "maven-plugin-bundle",
"versions": [
{
"version": "5.1.1-5.el9",
"qualifiers": [
{
"key": "arch",
"value": "src"
}
],
"subpath": ""
}
]
}
]
}
]
},
{
"justification": "Derived from SPDX PACKAGE_OF relationship",
"versionRange": "5.1.1-5.el9",
"package": {
"type": "guac",
"namespaces": [
{
"namespace": "pkg",
"names": [
{
"name": "RHEL-9.4.0.Z.MAIN+EUS",
"versions": [
{
"version": "9.4.0",
"qualifiers": [],
"subpath": ""
}
]
}
]
}
]
},
"dependencyPackage": {
"type": "rpm",
"namespaces": [
{
"namespace": "redhat",
"names": [
{
"name": "maven-plugin-bundle",
"versions": [
{
"version": "5.1.1-5.el9",
"qualifiers": [
{
"key": "arch",
"value": "src"
}
],
"subpath": ""
}
]
}
]
}
]
},
"collector": "FileCollector"
},
{
"type": "guac",
"namespaces": [
{
"namespace": "pkg",
"names": [
{
"name": "RHEL-9.4.0.Z.MAIN+EUS",
"versions": [
{
"version": "9.4.0",
"qualifiers": [],
"subpath": ""
}
]
}
]
}
]
}
]
Loading